Audit Manual: Universal Template

Insights
Key takeaways

This template generates a fully GIAS-compliant Audit Manual based on your organisation details. Thirteen sections covering strategy and annual planning through QAIP and coordination with other assurance providers. Fill in the placeholders and copy directly into your own document environment.

Enter your organisation details

✓ Copied to clipboard
Audit Manual
ORGANISATION NAME
Version 1.0  |  Effective date: DD-MM-YYYY  |  Conforms to: CHARTER REFERENCE
Section 1

Introduction

This Audit Manual describes the working practices of the Internal Audit Function (IAF) of ORGANISATION NAME. The manual has been prepared in conformity with the Global Internal Audit Standards (GIAS) of the Institute of Internal Auditors (IIA) and supplements the Internal Audit Charter (CHARTER REFERENCE).

Where the charter establishes the position, mandate and independence of the IAF, this manual describes how the IAF carries out its activities in practice: from strategy and planning to reporting, follow-up and quality assurance.

The audit approach applied is based on METHODOLOGY. This manual takes effect on DD-MM-YYYY and is reviewed annually.

Section 2

Strategy and annual planning

The CAE prepares a risk-based internal audit plan each year. This plan is based on:

  • A current risk assessment of the audit universe (all auditable entities of ORGANISATION NAME);
  • Input from the SUPERVISORY BOARD / BOARD, the AUDIT COMMITTEE and senior management;
  • The strategic objectives of the organisation;
  • Results of prior audits and outstanding recommendations.

The annual plan includes mandatory focus areas in accordance with GIAS Standard 9.2: information technology and cybersecurity, fraud risks, and compliance with laws and regulations.

The audit plan is submitted to the AUDIT COMMITTEE for approval. Material deviations from the approved plan are likewise submitted for approval. An interim revision is performed when significant changes occur in the organisation or its risk profile.

Section 3

Engagement preparation

Every audit engagement starts with a structured preparation phase. The CAE or designated senior auditor prepares an engagement letter covering, at a minimum: objectives, scope, audit period, criteria framework, planned duration and the composition of the audit team.

Independence and objectivity

Before the start of each engagement, all assigned auditors confirm their independence and objectivity. In the event of an actual or potential conflict of interest, an alternative auditor is assigned.

Risk assessment and work programme

Based on the engagement scope, the audit team performs an engagement-specific risk assessment. The outcomes form the basis of the work programme: the structured description of procedures to be performed, criteria framework, required information sources and evaluation criteria.

Consultation with the auditee

The CAE conducts an opening meeting with the responsible manager (auditee) before each engagement to explain the objective, scope and approach, and to reach agreement on the timeline. Material objections are escalated in accordance with Section 8.

Section 4

Performing the engagement

Gathering information

The audit team gathers information using the OIE approach: Observation (direct observation of processes and activities), Inquiry (interviews with staff and management) and Examination (analysis of documents, systems and data). Information is assessed for reliability, completeness and relevance.

Formulating findings

Each finding is documented with: description of the condition (what was found?), the criteria (what should have been?), the root cause, the consequence/risk, and a recommendation addressing the root cause. Findings are prioritised based on risk relevance (high / medium / low).

Fraud risks

The audit team remains alert to indicators of fraud or unethical conduct throughout the engagement. When a concrete suspicion of fraud arises, the CAE is informed immediately, and subsequently determines whether and how to escalate.

Supervision

The CAE or designated supervising auditor monitors the quality and progress of the fieldwork. Significant deviations from the work programme are documented and submitted for approval.

Section 5

Engagement documentation

The IAF maintains an audit file for each engagement containing sufficient evidence to support and reconstruct conclusions. The file includes, at a minimum: the engagement letter, risk assessment, work programme, working papers, interview notes, and the final report including the management response.

Audit files are retained for RETENTION PERIOD after completion of the engagement, in accordance with legal requirements and the retention policy of ORGANISATION NAME. Access is restricted to IAF members and authorised regulators. Audit files are not disclosed to external parties without the explicit consent of the CAE.

Section 6

Engagement reporting

Draft report and contradictory review

After completing the fieldwork, the audit team prepares a draft report. This report is submitted for review to the auditee and responsible management (contradictory review). The auditee is given the opportunity to correct factual inaccuracies and to formulate a management response to each recommendation.

Final report

After processing feedback, the CAE finalises the report. The report contains: background and objective, scope and methodology, overall audit opinion, findings with prioritisation, recommendations, management responses and an action tracking form (ATF).

Distribution

The final report is distributed to: responsible management, the CAE (filing), the AUDIT COMMITTEE (significant findings or upon request) and the SUPERVISORY BOARD (periodic reporting). CAE (filing) and the AUDIT COMMITTEE of the BOARD OF DIRECTORS.

Errors and omissions / Non-conformance

If a material error or omission in the report is identified after publication, the CAE issues a corrected report and informs all recipients. Non-conformance with the GIAS is documented, communicated to the AUDIT COMMITTEE and included in the QAIP reporting.

Section 7

Follow-up and monitoring of recommendations

The IAF monitors the implementation of recommendations through the Action Tracking Form (ATF). Management is responsible for implementation; the IAF confirms execution and effectiveness.

The CAE reports quarterly to the AUDIT COMMITTEE on the status of outstanding recommendations, including overdue and unimplemented items. Recommendations not implemented by the agreed deadline are escalated in accordance with Section 8.

Section 8

Escalation and risk acceptance

When management decides not to implement a recommendation, or to implement it only partially, the CAE documents this as formal risk acceptance. The risk acceptance includes: description of the residual risk, the name of the accepting manager and the date. For risks exceeding the risk appetite of ORGANISATION NAME, the following escalation ladder applies:

  1. Discussion with the responsible manager;
  2. Escalation to senior management;
  3. Escalation to the AUDIT COMMITTEE;
  4. If necessary, notification to the full supervisory body.

The CAE records all risk acceptances and escalation steps in the audit file.

Section 9

Periodic reporting

Quarterly reporting

The CAE reports quarterly to the AUDIT COMMITTEE on: progress of the audit plan (% completed, expected completion), significant findings, status of outstanding recommendations, capacity and budget variances, and any impairments of independence.

Annual opinion (Overall Opinion)

The CAE issues an annual overall opinion on the effectiveness of governance, risk management and internal control of ORGANISATION NAME. This opinion is based on the combined results of all engagements performed during the year.

Thematic reports

In addition to periodic reporting, the CAE may issue thematic reports on cross-cutting or strategic risks, at the request of the AUDIT COMMITTEE or on own initiative.

Section 10

Advisory services

In addition to assurance services, the IAF provides advisory services to the management of ORGANISATION NAME. The following rules apply to advisory services:

  • The IAF does not assume management responsibility;
  • Advisory services must not impair the objectivity of the IAF;
  • When a subsequent assurance engagement covers the same subject, the CAE discloses the previously rendered advisory service;
  • The CAE informs the AUDIT COMMITTEE of significant advisory services.
Section 11

Resource and budget management

Budget

The CAE prepares an annual budget proposal aligned with the audit plan. The budget is approved by the AUDIT COMMITTEE. Material variances are reported.

Staff and competencies

The IAF possesses the knowledge, skills and other competencies required to execute the audit plan. The CAE promotes the continuing professional development of all staff, including certification (CIA and sector-specific qualifications). When specific expertise is lacking for a particular engagement, co-sourcing or external expertise is engaged.

Technology and tools

The IAF uses appropriate audit tools for planning, file management, data analysis and reporting. The CAE periodically assesses whether the available technology remains fit for the mandate.

Section 12

Quality assurance and improvement (QAIP)

Ongoing monitoring

Engagement quality is continuously monitored through supervision (Section 4), file reviews and satisfaction surveys of auditees after each engagement.

Self-assessment

The CAE performs an annual internal self-assessment. The outcomes, together with conformity with the GIAS and the achievement of performance targets, are reported to the AUDIT COMMITTEE.

Performance measurement and KPIs

The IAF measures its performance against KPIs approved annually by the AUDIT COMMITTEE. Minimum indicators: audit plan completion (%), average engagement duration, auditee satisfaction score, recommendation follow-up rate and GIAS conformity opinion.

External quality assessment (EQA)

At least once every five years, the IAF commissions an external quality assessment by an independent, qualified party. The outcomes are reported to the AUDIT COMMITTEE. In the event of a significant non-conformity opinion, the CAE prepares an improvement plan.

Section 13

Coordination with other assurance providers

The CAE coordinates the work of the IAF with that of the external auditor, the risk management function, the compliance function and other internal or external assurance providers. The objectives are: reducing duplication of effort, ensuring comprehensive risk coverage, and increasing the combined added value.

The CAE assesses the extent to which reliance can be placed on the work of other providers (GIAS Standard 9.5) and documents this assessment in the audit file.

Appendix A — GIAS Cross-Reference Table

Per section of this manual, the relevant GIAS principles, standards and DO requirement numbers. ⚠ = critical requirement.

Manual section Principle Standard DO requirement nos. Critical
1 — Introduction PR6 Authorised by the board 6.2 Internal audit charter 1, 4
1 — Introduction PR9 Systematic and risk-based approach 9.3 Engagement objective consultation 1
2 — Strategy & plan PR9 Systematic and risk-based approach 9.1 Engagement portfolio 1, 2
2 — Strategy & plan PR9 Systematic and risk-based approach 9.2 Risk-based planning 1, 2, 3
2 — Strategy & plan PR9 Systematic and risk-based approach 9.4 Internal audit plan 1, 2, 3, 4
3 — Preparation PR13 Planned and well-managed 13.1 Planning objectives 1, 2
3 — Preparation PR13 Planned and well-managed 13.2 Engagement briefing and scope 1, 2, 3
3 — Preparation PR13 Planned and well-managed 13.3 Risk assessment 1, 2
3 — Preparation PR13 Planned and well-managed 13.4 Work programme 1, 2
4 — Fieldwork PR14 Communicating findings 14.1 Gathering information 1, 2
4 — Fieldwork PR14 Communicating findings 14.2 Analysis and evaluation 1
4 — Fieldwork PR14 Communicating findings 14.3 Identifying findings 1, 2, 3
4 — Fieldwork PR14 Communicating findings 14.4 Recommendations 1, 2
5 — Documentation PR14 Communicating findings 14.6 Engagement documentation 1, 2, 3, 4, 5
6 — Reporting PR15 Communicating results 15.1 Final communication 1, 2, 3, 4, 5
6 — Reporting PR11 Communicating conclusions 11.4 Quality of communication 1, 2, 3
7 — Follow-up PR15 Communicating results 15.2 Confirming implementation of recommendations 1, 2, 3
8 — Escalation PR11 Communicating conclusions 11.5 Escalation of significant matters 1, 2
9 — Reporting structure PR11 Communicating conclusions 11.3 Reporting to the board and senior management 1, 2, 3
10 — Advisory services PR6 Authorised by the board 6.1 Internal audit mandate 1
10 — Advisory services PR9 Systematic and risk-based approach 9.1 Engagement portfolio 1
11 — Resources PR10 Well-managed resources 10.1 Resources 1, 2
11 — Resources PR10 Well-managed resources 10.2 Staff 1, 2, 3
11 — Resources PR10 Well-managed resources 10.3 Technology and tools 1
12 — QAIP PR12 Quality assurance and improvement 12.1 Internal quality assessment 1, 2, 3
12 — QAIP PR12 Quality assurance and improvement 12.2 Performance measurement 1, 2, 3
12 — QAIP PR12 Quality assurance and improvement 12.3 Engagement supervision 1, 2
12 — QAIP PR8 Under board oversight 8.4 External quality assessment 1, 2, 3
13 — Coordination PR9 Systematic and risk-based approach 9.5 Coordination with other assurance 1

Appendix B — Preparation Checklist

Use this checklist at the start of every audit engagement. Blockers (marked in red) must be cleared before fieldwork can begin.

General
# Topic Question Evidence GIAS Weight
1 Independence and objectivity of the audit team ⚠ Blocker Is the audit team (auditors and CAE) independent and free from actual or perceived conflicts of interest with respect to the audit object? Signed independence confirmations; absence of past involvement with audit object; documentation of team rotation. Independent: not responsible (currently or previously) for the audit object, not involved in an advisory engagement in the past 5 years, no limitations imposed on scope or access to information / persons / systems, etc. Objective: weigh/discuss the risk of bias (regarding stakeholders / controls), be aware of any preconceptions about persons / situations so the team / reviewer can apply additional scrutiny. 2.3 3
2 Competencies and expertise of auditors Does the audit team possess the required competencies for this audit? What is the role allocation? Audit team profile; training and experience documentation; competency-audit fit assessment. Appropriate and sufficient resources based on the nature and complexity of each engagement, the time constraints and the available resources. 3.1 3
3 Availability of required knowledge, skills and capacity Does the team have sufficient knowledge, experience and resources to carry out the audit professionally? Skills matrix, team CVs, training logs, evidence of external consultants or experts contracted. 13.5 2
4 Organising internal quality review Has an independent internal review been organised and is the reviewer sufficiently qualified? Internal review assignment in planning; review checklist template; reviewer's name and independence confirmation. 12.2 3
5 Risk analysis of the audit object Have the relevant risks for the audit object, including fraud and non-compliance risks, been identified and analysed? Risk assessment worksheet, fraud risk considerations, risk register excerpts, stakeholder interviews. Document outcomes (risks) in the engagement plan or separately in the audit file. 13.2 3
6 Explicitly addressing ethical/fraud risks Have ethical and fraud risks been identified and included in the risk analysis and planning of the audit? Ethical risk assessment notes; stakeholder interviews; fraud/ethics checklist in planning. 1.2 2
7 Explicitly addressing non-compliance risks Have the relevant laws and regulations been identified and has non-compliance been included in the risk analysis and planning of the audit? Risk analysis notes, stakeholder interviews. 13.2 2
8 Describing the rationale What is the rationale for the audit? For example, it originates from the annual plan, but also why this audit was included in the annual plan. Consider focus areas, risks, weaknesses and developments/changes. 1
9 Preparing a high-level schedule Describe (e.g. which quarter) the audit is expected to be performed. Also determine whether there are factors influencing the schedule, e.g. holiday periods. 1
10 Relevant developments or outstanding items What developments are relevant to include in the plan? Are there known vulnerabilities/issues and are there any outstanding actions (audit findings)? 1
Engagement plan / Criteria framework
# Topic Question Evidence GIAS Weight
1 Establishing audit objectives and scope Have the objectives and scope of the audit been established in line with the purpose and organisational objectives? Documented engagement objectives and scope in the audit planning file; approved audit notification letter. 13.3 3
2 Identifying the auditee Does the plan describe who the auditee is in relation to the subject? 1
3 Confirming agreements with auditee via engagement plan Have the agreements with the auditee regarding the engagement been documented and confirmed in advance? Audit announcement email, signed engagement letter, documented scope confirmation. Document outcomes (agreements/confirmation), e.g. email confirming the engagement plan or details separately in the audit file. 13.4 2
4 Preparing the (audit) plan Has an (audit) plan been prepared in which the activities are linked to the objectives and scope? Approved work program; mapping of procedures to objectives; audit planning memo. The IAF does not use detailed work programmes prescribing every audit activity in advance. For audits, an audit plan is prepared; for other engagements, a brief engagement confirmation or approach memo may suffice. In this checklist we refer to "(audit) plan". 13.6 3
5 Engagement sponsor Does the plan describe who the engagement sponsor is for this audit? 1
6 Preparing the criteria framework Has a sufficient (specific and testable) criteria framework been prepared for the audit (covering at least the key risks or process steps/project phases)? Required for audits; for other engagements, this depends on the agreed scope. The term 'work program' is not translated as a rigid set of procedures, but reflects the preparatory work performed and communicated (via the audit plan/engagement plan and criteria framework) to achieve/answer the objectives and audit questions within scope. 13.6 3
7 Incorporating topical requirements in the criteria framework Is a relevant Topical Requirements document available for this subject? See: https://www.theiia.org/en/standards/2024-standards/topical-requirements/ Mandatory element within the broader IPPF. 2
8 Identifying stakeholders Is it clear which other stakeholders are relevant for obtaining the right information and have these individuals been included in the audit plan? 1
9 Aligning with stakeholders Has alignment been reached with stakeholders on the purpose, scope, timing and responsibilities of the audit? Records of communication with sponsor; meeting notes or emails confirming agreement on purpose, scope, outcomes, responsibilities. Consider specific enabling / constraining factors for this engagement and their impact on stakeholder alignment and the engagement plan. 13.1 2
10 Detailed schedule Does the plan contain a detailed schedule (e.g. a weekly Gantt chart) and are the different phases and deliverables included? 1
11 Aligning risk analysis with auditee In the case of an audit: has the auditee's assessment of the effectiveness of control measures (gross vs. net risk) over which assurance is sought been documented? The manual's preparation phase calls for making an independent risk assessment and documenting the auditee's assessment of the effectiveness of control measures (gross vs. net risk) over which assurance is sought. Typically documented using a heat chart. 2
12 Aligning criteria framework with auditee Has the (draft audit) plan including the criteria framework been aligned with the auditee? Document this, e.g. by email or in the file (OneNote). Verify that the auditee is sufficiently familiar with the intended criteria and that those criteria genuinely match the auditee's view on management control. 2
13 Aligning criteria framework with controller Has the (draft audit) plan including the criteria framework been aligned with the controller? Document this, e.g. by email or in the file (OneNote). (Required for audits; for other engagements, explain why no alignment took place if applicable.) 2
14 Alignment with Privacy Officer / DPO For a privacy audit, has the report been aligned with the Privacy Officer and the Data Protection Officer? Document this, e.g. by email or in the file (OneNote). Alignment with the DPO is required for privacy audits; for other privacy engagements, explain why no alignment took place if applicable. 1
15 Communicating IIA compliance Standard text: has it been considered to include the statement "In conformance with the Global Internal Audit Standards"? 4.1 1
16 Review of the (audit) plan Has the (audit) plan been reviewed and are all review comments resolved? (Perform review demonstrably: track changes in digital document or scan annotations on hard copy.) 12.3 3
17 Sending the (audit) plan Has the final (audit) plan been sent to at least the engagement sponsor and the auditees? 13.1 2

Appendix C — Fieldwork Checklist

Use during the fieldwork phase.

# Topic Question Evidence GIAS Weight
1 Timely escalation of issues or deviations from the plan Were deficiencies and bottlenecks during fieldwork reported to relevant stakeholders and the CAE in a timely manner? Escalation logs; issue memos; notifications to senior management. For significant deficiencies, the CAE informs the auditee and engagement sponsor on an interim basis. This prevents surprises when discussing the draft audit report. The engagement sponsor is also informed of any delays in progress. Ensure that the engagement sponsor remains informed of delays or noteworthy developments throughout the audit. Ensure that new expectations or developments are shared with you so they can still be addressed. 14.5 2
2 Gathering and analysing information Was sufficient and relevant information gathered and analysed using an appropriate method? Interview notes; data extracts; observation logs; collected documentation. Workpapers; audit file index; document review notes. The IAF applies the DIE approach (see manual for the approach and what to document when testing the design, implementation and/or effectiveness of controls). The IAF does not perform root cause analyses as standard practice (as those constitute different types of investigations), but the information gathered must be sufficient to support the findings. 14.1 3
3 Sufficient and accurate documentation of work performed Were the work performed, analyses and findings adequately documented? Interview notes; data extracts; observation logs; collected documentation. Workpapers; audit file index; document review notes. The IAF applies the DIE approach (see manual for the approach and what to document when testing the design, implementation and/or effectiveness of controls). The IAF does not perform root cause analyses as standard practice (as those constitute different types of investigations), but the information gathered must be sufficient to support the findings. 14.2 3
4 Supporting documentation Do findings based on documentation include correct references to the audit file? Analysis summaries; root cause analysis charts; audit matrices. If external parties were engaged, ensure their working papers are also included in the audit file. 14.6 3
5 Conclusion/score ⚠ Blocker Do all criteria have a conclusion/score with clear supporting narrative? Evaluation tables; audit evidence comparisons; deviation logs. Ensure that a third party (e.g. reviewer) can clearly understand how the conclusion/scores per criterion were constructed. 14.3 3
6 Validating findings with the auditee Were significant findings discussed or verified with the relevant stakeholders? Meeting notes; confirmation emails from auditee; validation documents. To ensure that the information received is correctly translated into findings, the findings per criterion are discussed with the responsible person (typically via email). 14.4 3
7 Quality of documentation Is the documentation of work performed, findings and conclusions structured so that an independent third party (e.g. reviewer) can reproduce and understand the audit? Review notes, file structure with version control, work programmes with references, reviewer feedback 14.6 2
8 No unnecessary documentation in the file Have unused documents been removed from the file or placed in a separate "other" folder (e.g. background information)? 1
9 Alignment on deviations from the audit plan/criteria framework Were any changes to the approach made after the review of the audit plan / criteria framework discussed with the reviewer? 2

Appendix D — Completion Checklist

Use during the completion phase. Blockers prevent publication of the final report.

Draft report
# Topic Question Evidence GIAS Weight
1 Content Is the draft report complete, accurate, readable, balanced (positive and negative points), and do the conclusions and key findings align with the objective and scope from the audit plan? Draft report, review notes, correction logs, reviewer comments processed in the file 11.3 3
2 Recommendations Are recommendations logically derived from findings, feasible and realistic (SMART where possible)? Draft action plan tables, proposed improvement measures, feasibility justification 14.4 3
3 Draft report: structure and consistency with audit plan Is the report consistent with the audit plan? Does it include the objective and scope? 15.1 2
4 Disclosure of noteworthy matters Were noteworthy matters or deviations in the engagement or fieldwork (e.g. change in scope, uncertainties, imposed limitations) identified? 11.4 2
5 Conclusion Does the report contain a conclusion that fully addresses the original objective? 14.5 3
6 Accuracy and consistency Is the final report consistent with the audit file, and are any changes compared to the draft substantiated? Final report, change log compared to draft, explanation of deviations in the file 11.4 2
7 Performed in conformance with GIAS Was it considered to include the statement "In conformance with the Global Internal Audit Standards"? The final engagement communication may include a statement that the engagement was performed in conformance with the Global Internal Audit Standards, but only if this is supported by the results of engagement supervision and the quality assurance and improvement program. 1
8 Ethics and objectivity Were there no objectivity or independence impairments throughout the engagement, and were any impairments fully and transparently documented? 2.3 2
9 Due professional care Was the audit performed with sufficient depth and diligence appropriate to the risk and complexity? 4.1 2
10 Distribution restrictions Does the report state that it may not be distributed without approval from the engagement sponsor, the responsible director, responsible manager or Internal Audit, unless the engagement sponsor considers this unnecessary? 1
11 Alignment with stakeholders (if applicable) Was the draft report, where relevant, discussed with the engagement sponsor, DPO/privacy officer (privacy audits) or other designated stakeholders? Emails with engagement sponsor/DPO/privacy officer, notes from alignment meetings 2
12 Auditee response Was the draft report discussed with the auditee for their formal response, and was feedback demonstrably incorporated? 15.1 3
13 Indicators of fraud Were there any indicators of fraud, and if so, was this included in the report or verbally discussed with the engagement sponsor and the corporate control manager? 2
14 Disagreement Is there a disagreement between the auditee / process owner and the (lead) auditor? 2
15 Disagreement Is there a disagreement between the (lead) auditor and the reviewer? 2
16 Quality review Was the internal quality review performed and documented sufficiently throughout the audit? 12.1 3
Final report
# Topic Question Evidence GIAS Weight
1 Management response Has the management response been included in the audit report and/or file (if applicable)? 2
2 Completeness of comment resolution Have all comments/questions received on the draft report been addressed, and is the resolution documented in the file? 2
3 Unchanged conclusion Has the conclusion in the final report remained unchanged compared to the initial draft, and if not, does the file document the rationale for the change? 2
4 CAE approval ⚠ Blocker Has the final report been formally approved by the CAE, thereby placing it under the CAE's ownership, before it was communicated or distributed to stakeholders? CAE approval email, signed report, workflow confirmation 11.3 3
5 Distribution of the final report Was the final report distributed to all relevant stakeholders in a timely and complete manner in accordance with the manual, and is proof of delivery available? Distribution list, dispatch logs, email with timestamp 15.1 2
6 Scheduling at Executive Board Has the final report been scheduled for the Executive Board agenda (and is it known that the relevant manager may attend the Executive Board discussion)? Note: for privacy audits, include the DPO's response in the Executive Board agenda item. 1
Action Tracking Form (ATF)
# Topic Question Evidence GIAS Weight
1 Action Tracking Form (ATF) Have all findings been translated into an ATF containing at minimum: management action, action owner, deadline? And is the ATF consistent with the report? ATF, Executive Board agenda item, SMART actions included, confirmation of ATF dispatch 14.4 3
2 Detailed findings underlying the findings listed in the ATF traceable? Does the agenda item state whether the ATF contains all findings or a condensed version of the key elements from the final report? 15.1 2
3 Management actions in ATF Has the follow-up and monitoring of action plans been ensured (through Executive Board decision-making)? Follow-up logs, implementation confirmations from action owners, monitoring dashboards 15.2 2
4 Distribution of the final ATF Was the ATF sent to the distribution list after discussion at the Executive Board? 2
5 Archiving of documentation Have the final report, ATF and supporting audit documentation been archived securely, completely and accessibly? Archiving log, file folder with access controls, version control, backup confirmation 14.6 2
Back to Insights